I'm wanting to set up a network. I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch, and the machines on the internal network will be attached to this switch. In the book "Building Internet Firewalls" (O'Reilly) this setup is described as a screened subnet architecture. However, the external interface on the OpenBSD dedicated firewall will have to get its IP via DHCP (192.168.1.*) from the border router. That, or it can be a static IP on the same subnet as the border router's DHCP range, 192.168.1.* (but outside the DHCP range), but that would be trickier. The internal interface of this dedicated firewall would be static and on a different subnet from the external interface (192.168.2.*). Then this internal interface could give out IPs to the internal network that are on 192.168.2.*, if it did NAT for packets from the internal network. But then NAT would be done twice: once by the OpenBSD dedicated firewall and once on the border router, before going off to the net.
Or is it a better approach to NOT do NAT on the OpenBSD firewall and have all IPs on the whole network assigned as static (outside of the border router's DHCP range, but all on the same subnet, 192.168.1.*)?
Basically, is there any point in the OpenBSD box doing DHCP and NAT for hosts on the internal network? I guess the answer is no. But I just wanted to hear your opinions, if you have the time.
The border router is a home router. I wanted to have a normal triple-homed dedicated firewall and put it in the border router's DMZ, but it proved unpredictable and tricky. So I just wondered what the best IP addressing scheme would be for my newer way.
Thank you for your time. And fare ye well.

And I don't do double NAT. The Speedtouch does NAT.
Because the Speedtouch router only knows the 10.0.0.0 network it has to be told that incoming packets (the replies) for the 192.168.0.0 network have to be sent to the 10.0.0.200 interface.

In other words, this 10.0.0.200 interface is the gateway for the 192.168.0.0 network. On the Speedtouch I added the following static route:

The border router is just a home router. It's not very configurable. Erm, why wouldn't just assigning a static internal IP address for hosts on the internal network work, and having all interfaces on the same subnet (192.168.1.*), with only the OpenBSD dedicated firewall's external interface getting its IP via DHCP from the border router? I think with the border router that I've got at the moment I have to either do this or hope that it does NAT and routing for hosts on another private subnet, i.e. 192.168.2.*, and either do NAT twice or just try using the different subnets anyhow. It's just a home router though.
Thank you very much for your reply.

I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch. And the machines on the internal network will be attached to this switch.

It is not altogether clear from the information presented that the services purchased from your ISP will support such a structure.

Customarily, ISPs hand out a single IP address which is assigned via DHCP. This address is not typically a public address which is accessible from the outside world (work, school, public library, etc.), although the IP address assigned may not be what is typically classified as a non-routable RFC 1918 private address. Most of the public doesn't need anything more than a single address (nor understands it...), & they don't need a real public address, so this is most likely the cheapest & most prevalent plan many ISPs provide to customers. It also doesn't require that ISPs allocate a public address solely for your use either. From the ISP's perspective, having to assign a real publicly accessible address to a single user involves a resource with higher value, so they charge more.

You mention having servers in front of the firewall. If all your ISP is providing is a single address, implementing a DMZ where multiple machines are exposed to the Internet, each with their own static IP address, goes into the domain of what ISPs classify as business accounts. Each server which is to be independently accessible from elsewhere on the Internet will need its own static IP address given the topology described. One option is to pay a monthly fee for each IP address, but this can quickly become costly. Publicly accessible IP addresses not yet allocated are dwindling in number. Expect to pay more for having them assigned to you.

The second flaw in what is described is that the firewall resides on the same switch as some number of servers & the connection to the ISP. These servers are getting no benefit of the firewall. For a firewall to have any effect, all traffic has to go through the firewall first. One possible way this can be done is to connect one interface of the firewall directly to the ISP connection, & another firewall interface to some internal switch. Assuming NAT has been configured, any number of clients & servers can sit on the internal side.

Otherwise, your message segues into questioning whether one should configure DHCP or simply assign internal addresses to the various hosts manually. This is a personal choice. Home environments don't typically have so many systems that DHCP saves a significant amount of administration & maintenance, however it can make life simpler -- somewhat. It's your decision.

As for NAT, it only needs to be done once. Home environments do not require complicated topologies.

Lastly, when asking network topology questions, provide a diagram of what you intend to implement. Having a picture will clarify in your own mind what is going on, & it will certainly help anyone else attempting to make a useful response. What was initially described was the following:

Code:

    internal network --- switch --- firewall --- switch --- ISP
                                                   |
                                                servers

What I suspect you really want is the following:

Code:

    internal network --- switch --- firewall --- ISP
                            |
                         servers

Not knowing the details of how you connect to your ISP, you may need some multiple-purpose device to be inserted between the firewall & ISP, but that detail is left for you to figure out. You may have already done so.

The border router has its own firewall. The OpenBSD box was going to be just the firewall for the internal network. So I have a firewall protecting the servers (on the border router) and a firewall protecting the internal network. The OpenBSD box would just separate the internal network from the perimeter network and control access between these two areas. Like I say, I tried to have the OpenBSD box as a triple-homed box that was in the border router's DMZ, but this proved too tricky, due to the fact that the border router is just a home router.
What I needed to know is: is it alright to have all interfaces apart from the OpenBSD dedicated firewall's external interface configured with static internal addresses that are all on the same subnet as the border router's internal interface (192.168.1.*) but are outside of the DHCP range (addresses that the border router gives out)? Or should I assign a static internal IP address for the OpenBSD box's internal interface that is on a different subnet from its external interface (192.168.2.*) and then have this internal interface do DHCP and NAT for the internal network and give out addresses to the internal network that are on the 192.168.2.* subnet?
So should I do:

Or should I just have all machines with static internal addresses (192.168.1.*) that are on the same subnet as the internal interface of the border router but outside of its DHCP range? Which is technically the best idea? I realise that if the OpenBSD box is doing DHCP for the internal network then the addresses it gives out will have to be on a different subnet than the addresses given out via DHCP by the border router.
The diagram is slightly simplified. Obviously switches are involved (the servers and the OpenBSD box are on a switch that is attached to the border router; the internal host(s) are on a switch that is attached to the OpenBSD firewall box). Also, I'm very sorry to keep bothering you all. I really am very grateful for all the help I'm getting. I understand if you don't want to help me any further.
Thank you for your time and replies.
Regards, unixjingleman

The diagram doesn't look anything like it did when I drew it. I'm sorry, I don't know why this is. It is meant to indicate that the border router's internal interface has an IP of 192.168.1.254. The OpenBSD box is supposed to have an external IP of 192.168.1.67 and an internal address of 192.168.2.10.

Right, so having all the interfaces in the whole network on 192.168.1.* and static/outside of the DHCP range of the border router is alright. O.K., please ignore my previous posts. That's all I wanted to know. Sorry to keep bothering you. Just ignore. I'll get on with building the network now. Unless there are any further points? Does pf do NAT by default?
Thank you so much for all the advice. It must be trying, helping n00bs?

Studying the PF User's Guide & the section on NAT will be highly worth your time.

Quote:

The diagram doesn't look anything like it did when i drew it.

vBulletin does strange things with code blocks. This can be corrected by repeated editing & previewing. Spacing gets munged, so what appears correct during editing will not display as intended.

The alternative is to attach a diagram created by some other means, but attachments take more time of potential responders. If your goal is for people to respond, making sure that messages have all information clearly presented upon first viewing helps. Personally, I don't care for attachments.
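To answer the "does pf do NAT by default?" question concretely: it does not. pf translates nothing until a rule tells it to, so a box that only filters will simply forward packets with their original source addresses. The following pf.conf is an added example, not something posted in this thread, for the routed layout the original poster describes: the OpenBSD box's external interface at 192.168.1.67 on the border router's LAN, its internal interface at 192.168.2.10, and the internal hosts on 192.168.2.0/24. The interface names em0 and em1 are assumptions; the addresses are the ones given above. The NAT syntax is the OpenBSD 4.7-and-later form (match ... nat-to); releases before that used "nat on $ext_if from $int_net to any -> ($ext_if)".

```pf
# Added example pf.conf for the screened-subnet layout discussed in the
# thread. Interface names em0/em1 are assumptions; addresses come from the
# thread (border router 192.168.1.254, OpenBSD ext 192.168.1.67, int 192.168.2.10).
ext_if  = "em0"              # 192.168.1.67, faces the border router / servers
int_if  = "em1"              # 192.168.2.10, gateway for the internal hosts
int_net = "192.168.2.0/24"

set skip on lo

# This single match rule is the NAT step. Without it pf forwards packets
# from 192.168.2.0/24 untranslated, and the border router, which only knows
# 192.168.1.0/24, has no route back to them.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny, then open only what the internal network needs.
block all

# Traffic the firewall itself originates (DHCP renewal, DNS, package fetches).
pass out quick inet

# Internal hosts may reach the perimeter servers and the Internet; the
# reply traffic is admitted by the state this rule creates.
pass in on $int_if inet from $int_net to any
```

Two things go with this file. First, the box must actually forward: set `net.inet.ip.forwarding=1` in /etc/sysctl.conf, or pf never sees a packet to translate. Second, this is the "NAT twice" option from the first post, once here and once on the border router; the alternative, as the Speedtouch reply describes, is to drop the match rule and instead add a static route on the border router sending 192.168.2.0/24 to 192.168.1.67, which only works if the home router lets you add routes. The third option discussed, every interface on 192.168.1.*, means the OpenBSD box has both interfaces in one subnet and so has to bridge rather than route (bridge(4) with pf filtering on the member interfaces); that is a different configuration from the routed one shown here.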